Uber breach, cover-up trigger government probes around the globe

FILE PHOTO: A photo illustration shows the Uber app on a mobile telephone, as it is held up for a posed photograph, in London, Britain November 10, 2017. REUTERS/Simon Dawson/File Photo

By Jim Finkle and Heather Somerville

TORONTO (Reuters) - Governments around the globe launched investigations into Uber Technologies Inc [UBER.UL] after the company disclosed it had covered up a breach that exposed data on millions of customers and drivers, the latest scandal to rock the ride-hailing firm.

Authorities in Britain and the United States, two top Uber markets, as well as Australia and the Philippines said on Wednesday they would investigate the company's response to the data breach.

Some U.S. lawmakers called for Congressional hearings and implored the Federal Trade Commission (FTC) to look into the matter.

Uber said on Wednesday that it has been in touch with the U.S. Federal Trade Commission (FTC) and several states to discuss a hack last year that exposed data on millions of customers and drivers, the latest scandal to rock the ride-hailing firm.

"We've been in touch with several state Attorney General Offices and the FTC to discuss this issue, and we stand ready to cooperate with them going forward," an Uber spokesperson said in a emailed statement.

Uber said on Tuesday that in late 2016 it had paid hackers $100,000 to destroy data on more than 57 million customers and driver stolen from the company and decided not to report the matter to victims or authorities.

The company's chief executive had acknowledged in a Tuesday blog that the company had erred in handling the breach. (http://ubr.to/2AmxlQt)

The money-losing ride-hailing service is known for the tough stance it has taken against regulators as it seeks to aggressively expand and compete with existing taxi services.

Attorneys general in at least four U.S. states, Connecticut, Illinois, Massachusetts and New York, said they had launched investigations into the breach.

“We have serious concerns about the reported conduct,” Massachusetts Attorney General Maura Healey said in a statement.

U.S. Senator Richard Blumenthal took to Twitter to call for the FTC to investigate Uber, describing the company's behavior as "inexplicable" and asking for the FTC to impose "significant penalties."

The FTC, which investigates companies accused of being sloppy with consumer data, said it was looking into the matter, but declined to say if it had launched a formal investigation.

"We are aware of press reports describing a breach in late 2016 at Uber and Uber officials’ actions after that breach. We are closely evaluating the serious issues raised," an FTC spokesman said.

U.S. Representative Frank Pallone called for a Congressional hearing.

"If Uber did indeed secretly pay-off the hackers to keep the breach quiet, then a possible cover up of the incident is problematic and must be investigated," Pallone said in a statement.

Britain's data protection authority said it would work with agencies in the United Kingdom and overseas to investigate the matter.

"If UK citizens were affected, then we should have been notified so that we could assess and verify the impact on people whose data was exposed," James Dipple-Johnstone, deputy commissioner of the UK Information Commissioner's Office, said in a statement.

British law carries a maximum penalty of 500,000 pounds ($662,000) for failing to notify users and regulators when data breaches occur.

The stolen information included names, email addresses and phone numbers of 57 million Uber users around the world, and the names and license numbers of 600,000 U.S. drivers, according to a blog post by Uber's new chief executive, Dara Khosrowshahi, who replaced co-founder Travis Kalanick as CEO in August.

Uber said it fired its chief security officer, Joe Sullivan, and a deputy, Craig Clark, this week over their role in the incident. Sullivan, formerly the top security official at Facebook Inc and a federal prosecutor, served as both security chief and deputy general counsel for Uber.

Sullivan declined comment. Clark could not be reached for comment.

Kalanick, through a spokesman, declined to comment. The former CEO remains on the Uber board of directors, and Khosrowshahi has said he consults with him regularly.

A stream of executives have left Uber in recent months amid controversies involving sexual harassment, data privacy and business practices in Asia. The board removed Kalanick as CEO in June.

London's transport regulator recently pulled Uber's operating license, saying the company failed to deal with public safety and security issues. Uber is appealing the decision.

The agency said on Wednesday it was seeking more information about the breach.

"We are pressing them for the full details of what has happened so that we can be satisfied that all the right protections are in place for the personal data of drivers and customers in London," a Transport for London spokesman said.

Uber said earlier this month it had struck an agreement to allow Japan's SoftBank Group <9984.T> to invest up to $10 billion, most of it by buying shares from existing investors. The final price has yet to be decided, and SoftBank could back out if not enough Uber investors are willing to sell at the right price.

(Reporting by Jim Finkle in Toronto and Heather Somerville in San Francisco; Additional reporting by Diane Bartz in Washington; Editing by Meredith Mazzilli and Nick Zieminski)